APS security token renewal mechanism

Symptoms

This article contains general information about the APS security token generation and renewal procedure.

Resolution

In the APS security model, all interaction with the APS controller from JavaScript views is done using security tokens. A token is generated for a specific user and provides access to all resources available in that user's context.

Each time a page is loaded in the POA UI, a token is generated for the currently logged-in user. It is then stored in the aps.context.token JavaScript variable in the APS frame context.

All tokens have an expiration timeout. This prevents a malicious party from using a token if the user accidentally leaves the machine without locking it.

The default expiration timeout is 30 minutes in both POA 5.5 and 6.0.

NOTE: The token is generated when the page is loaded. We have a feature request to automatically renew it each time a token is used.
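
A client-side view of the lifetime rule described above, as an added example that is not part of APS or POA: it tracks a token from page load and stops sending requests once the 30-minute default has passed, no matter how recently the token was used. createTokenClock, guardRequest and simulate are hypothetical names, and the one-minute warning margin is an assumption.

```javascript
// Added example, not APS/POA code. All helper names are hypothetical;
// only the 30-minute default timeout comes from the article.
const TOKEN_TTL_MS = 30 * 60 * 1000;

// Tracks one token from the moment the page (and so the token) was created.
function createTokenClock(issuedAtMs, ttlMs = TOKEN_TTL_MS, marginMs = 60 * 1000) {
  if (!Number.isFinite(issuedAtMs) || ttlMs <= 0 || marginMs < 0 || marginMs >= ttlMs) {
    throw new RangeError("invalid token clock parameters");
  }
  const expiresAtMs = issuedAtMs + ttlMs;
  return {
    remainingMs(nowMs) {
      return Math.max(0, expiresAtMs - nowMs);
    },
    // "fresh": safe to use; "expiring": inside the margin; "expired": reload needed.
    state(nowMs) {
      // A clock set back before issuance is treated as expired rather than trusted.
      if (nowMs < issuedAtMs || nowMs >= expiresAtMs) return "expired";
      return expiresAtMs - nowMs <= marginMs ? "expiring" : "fresh";
    },
  };
}

// Wraps a request function. Using the token never extends its lifetime, so the
// state depends only on time since page load, not on how recently it was used.
function guardRequest(clock, send, onStale, now = Date.now) {
  return function guarded(...args) {
    const state = clock.state(now());
    if (state === "expired") {
      onStale(state); // e.g. ask the user to reload the page to get a new token
      return { sent: false, state };
    }
    if (state === "expiring") onStale(state); // warn, but still send
    return { sent: true, state, result: send(...args) };
  };
}

// Constructed simulation: a page loaded at t=0, used at the given minute marks.
function simulate(minutes) {
  let nowMs = 0;
  const warnings = [];
  const call = guardRequest(createTokenClock(0), () => "ok",
    (s) => warnings.push(s), () => nowMs);
  const log = minutes.map((m) => {
    nowMs = m * 60 * 1000;
    return call().state;
  });
  return { log, warnings };
}
```

The client clock is only an estimate of what the server will accept; a request rejected for an expired token still has to be handled by reloading the page.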

The token expiration timeout can also be changed by an update in the POA database. However, on all production POA environments the timeout will always be equal to 30 minutes, and such modifications may only be attempted for testing/development purposes. Here are the timeout values (in seconds) in POA database: